• No results found

Distributed Denial of Service Attacks

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Distributed Denial of Service Attacks"

Copied!
25
0
0

Loading.... (view fulltext now)

Download now ( 25 Page )

Full text

(1)

Distributed Denial of Service Attacks

Steve Crocker Chair, SSAC June 25, 2007

(2)

Agenda

• Types of Attacks • DDoS attacks

• Amplified DDoS attacks - 2006 • Estonia - May 2007

(3)

Types of Attacks

• Penetration

• Eavesdropping

• Man-in-the-Middle • Flooding

(4)

Penetration

• Attacker gets inside your machine

• Can take over machine and do whatever he wants

• Achieves entry via software flaw(s), stolen passwords or insider access

(5)

Eavesdropping

• Attacker gains access to same network • Listens to traffic going in and out of your

(6)

Man-in-the-Middle (‘MITM”)

• Attacker listens to output and controls output

• Can substitute messages in both directions

(7)

Flooding Attack

• Attacker sends an overwhelming number of messages at your machine; great congestion • The congestion may occur in the path before

your machine

• Messages from legitimate users are crowded out • Usually called a Denial of Service (DoS) attack,

because that’s the effect.

• Usually involves a large number of machines, hence Distributed Denial of Service (DDoS) attack

(8)

Effects of Attacks

• Modification of internal data, change of programs

– Includes defacement of web sites

• Destruction of data

• Unauthorized Disclosure • Denial of Service (DoS)

(9)

Attacks and Effects

X Flooding X Eavesdropping X X MITM X X X X Penetration DoS Disc Des Mod

(10)

Denial of Service Attacks

• A Denial of Service (DoS) attack is an orchestrated traffic jam

• Purpose is to shut down a site, not penetrate it. • Purpose may be vandalism, extortion or social

action (including terrorism)

– Sports betting sites often extorted

• Large numbers of attacks -- few visible

(11)

Distributed DoS (DDoS)

• Most common DoS attacks use thousands of computers

– Sometimes hundreds of thousands

• Individual computers (“zombies”) are

penetrated and marshaled into common force (“bot armies”)

• Tools easily available

(12)

Amplified DDoS Attacks

• New wrinkle observed last year

• Bots send DNS queries with false return addresses

• Responses are aimed at target

(13)

January - February, 2006

• Authoritative TLD DNS servers attacked • Variant of a well-known DDoS attack

• Attacks generated from 2 - 8 Gbps • Failures occurred at multiple points

• Resulted in disruption of DNS services

• Included many TLDs without any apparent motive in most cases

(14)

...

Attacker

...

(3) Open resolvers ask bar.<tld> for

record “foo” (1) Attacker directs

zombies to begin attack

(2) All zombies send DNS query for record “foo”

in domain “bar.<tld>” to open recursive servers and set source IP=10.10.1.1

Zombies

(15)

One Attack

Graph of responses to monitoring probes by the authoritative nameservers for a TLD before, during, and after an attack in February 2006.

Vertical Axis shows the six TLD Server IP addresses. Red shows complete failure to answer, yellow indicates slow answers. For reference, Servers 1 and 4 show lesser impact than Servers 2, 3, 5, and 6. The horizontal axis shows actual time. This attack lasted 14 minutes.

(16)

Attack Metrics (1)

• 51,000 open recursive servers were involved

• 55 byte query resulted in a 4,200 byte response, for a 1:76 amplification

• 8 gbps attack requires a total of 108 mbps of queries. • Each recursive server saw 2,100 bytes of queries, or 38

qps, and responded with 160 kbps in answers

• Assuming compromised hosts have minimum 512kb

(17)

Attack Metrics (2)

• Source networks would see no effect

• Recursive servers saw minimal traffic or query increase • Victim network providers had catastrophic experience • Victim DNS provider was sent the equivalent of 150

million qps

(18)

Estonia Attack

• Estonia

• Protests & Cyber Attacks • Response

(19)

Estonia

• 1.4 million people

• Substantial ethnic Russian minority • Extensive Internet use

– Banking, voting, petrol purchase, etc. – 60% use Internet daily

– “Real life” and Internet intermingled

(20)

Protests & Cyber Attacks

• Relocation of Russian statue triggered protests

– Outside Estonia as well as inside

• Defacement and DDoS

• Attacks were dominated by bot armies • Almost all traffic came from outside

(21)

Response

• Excellent coordination inside Estonia

– CERT, ISPs

• Technical people and government

institutions communicated, cooperated • Help from outside

(22)

References

• mp3 talk from Hillar Aarelaid

http://www.ripe.net/ripe/meetin gs/ripe-54/presentations/friday.html. mp3: http://www.ripe.net/ripe/meetin gs/ripe-54/podcasts/plenary-10.mp3

(23)

Comments & Possible Policy Options

• DDoS attacks are a serious problem

– Good hygiene protects against penetration – No good protection against DDoS

• Coordinated community action required • CERTs, etc. good for response

(24)

Two Specific Actions

• Require address validation

– All packets coming into a network must have a valid return address

– Won’t solve the full problem but will reduce a large range of attacks

• Label and prioritize traffic coming from protected sources

(25)

References

SAC004 Securing The Edge (17 October 2002)

SAC008 DNS Distributed Denial of Service (DDoS) Attacks (31 March 2006)

http://www.icann.org/committees/

References

Download now ( PDF - 25 Page - 3.75 MB )

Related documents

SONDERFORSCHUNGSBEREICH 504

confidence coefficient time horizon risk-controlled fund investment calculation of the Value-at-Risk condition of risk- controlled capital protection stochastic process of

AVA Victorian Division Annual Conference 2016

Annual Conference 2016 Keynote speaker Dr David Vail Equine Lectures on Friday of conference... about

DEBT, DONORS AND THE DECISION TO GIVE 1

14 The results here might suggest that nonprofits that do increase unsecured liabilities might successfully use their weakened financial position as a fundraising tool, or that

A converse bound for cache-aided interference networks

We obtain an information-theoretic lower bound on both the peak normalized delivery time (NDT), and the expected NDT of cache-aided interference networks with uniform

Member Service Centre Phone Fax Web

From health insurance to travel insurance, home and contents to automotive insurance – members can save through the CPSU’s arrangements with Union Shopper and Member

De Nieuwe Bijbelvertaling en de stijl van de geschriften van het Nieuwe Testament

Beoordeeld aan de hand van contemporaine retorica is de stijl van het Nieuwe Testament, zo bleek ons, die van het gewone, weinig ver- zorgde, dagelijkse taalgebruik (Cicero), het is

[S205.Ebook] Download Confessions Of A Hotwife Hotwife And Cuckold Stories The Hotwife Diaries Book 2 By Katie Cramer.pdf

Well, everybody has their very own reason should read some publications Confessions Of A Hotwife: Hotwife And Cuckold Stories (The Hotwife Diaries Book 2) By Katie Cramer Mostly,